At the moment, it's apparently not possible to use NSG Flow Logs with secured Storage Accounts, even if the exception "Allow trusted Microsoft services to access this storage account" is enabled on the Storage Account.

It would be really helpful if you could add the Network Watcher to this list of trusted Microsoft services, so we can use secured Storage Accounts to store our NSG Flow Logs on.

Thanks for the valid suggestion. Your feedback is now open for the user community to upvote, which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature.

The preview of Network Watcher has a Topology feature which draws objects connected to a specific VNET, which is great. But I noted that, for a full topology, ALL resources need to be in the same Resource Group as the chosen VNET. That doesn't make sense, because it is pretty common to have VMs and NICs in different RGs. It would be great if you could choose an RG and a VNET as a starting point, and the Topology feature gathered all other interconnected resources independently of their RGs.

It would be great if you could introduce an alert mechanism for all the monitoring it does. For example, similar to what we have for Azure VMs, when CPU utilization goes down we can configure an alert based on a threshold.

Network Watcher monitors many things; it should have the capability to generate alerts based on its monitoring capabilities.

Thank you for your feedback. We are reviewing your suggestion about how we can provide alerting functionality in Network Watcher. It would be helpful if you could comment on which features or monitoring areas you would most like to see alerting.

When a packet capture is running in the Network watcher, you currently have to wait until the capture is complete to view the .pcap file. It would be useful to be able to look at the .pcap file while the capture is running.

Honestly, what are we going to do with you MSFT when it comes to RBAC?

When MSFT puts services into Preview, and often months or years after they are so-called GA, they still fail to recognize that they are violating Governance and RBAC rules, allowing Azure Services to randomly create Resource Groups in any given Azure Subscription.

The two biggest violators of this right now are Databricks and Network Watcher.

In most cases our clients should be refusing to use these services until they are capable of adhering to the Governance and Security rules being enforced by InfoSec and others.

Resource Groups are sacred beasts and must be named and tagged accordingly.

Thanks for the valid suggestion. Your feedback is now open for the user community to upvote & comment on. This allows us to effectively prioritize your request against our existing feature backlog and also gives us insight into the potential impact of implementing the suggested feature.

The new service endpoint monitor is a very welcome addition. The only thing now missing from the OMS solution is a user-friendly way to collect SNMP data, mainly for monitoring bandwidth usage etc. on firewalls & routers. The Linux snmpd to OMS logs option is too cumbersome because there's no way to centrally configure this. A snap option in the service endpoint monitor would be perfect for this!

The current implementation of IP flow verify in Network Watcher shows the name of the rule that is matched for allowing/denying traffic. It doesn't show the name of the effective NSG itself (only the rule in an NSG). A useful addition would be to show the name of the NSG in addition to the matched rule. A click-through to the NSG for instant changes would help as well.

Hello,
Is it possible to use OMS - NPM with some kind of API or PowerShell cmdlet?

I have the following example that I need to solve:

We create VMs and then sometimes they are turned off as they are no longer needed for whatever reason. I do not want to keep monitoring network traffic to this node/VM on Azure.

Currently we have to use the NPM UI configuration to select the node and click the checkbox for 'Use for monitoring', which is open to human error when we forget to disable this, and more likely we forget to re-enable it when we turn the VM back on.

So I was wondering if there is an API or a PowerShell cmdlet we can use in an Azure Runbook to ensure that this value is set correctly.

Thanks,
Warren

Right now App Insights provides availability tests, but they can only hit external-facing sites. The Service Endpoint Monitor fills that gap for any internal sites, but the customer now has to manage 2 separate tool configurations. It would be ideal if App Insights would allow OMS nodes as options on the “Test Locations” list, so all URL testing would be configured in the same place and the respective engines would execute them appropriately.

When looking at the NSG Flow Logs at the moment, all traffic from e.g. my local laptop seems to be flowing directly to the private IP address of my VM.

The source IP is the public IP address of my laptop and the destination IP should, in my opinion, be the public IP address of the VM, not the local private subnet IP (10.x.x.x), when traffic is inbound from the internet.

Yes, the NSG Flow Logs record the private IP address of the Network Interface. There are scenarios where public IP addresses can be shared across resources (e.g. using an Internet Load Balancer or Application Gateway); therefore we display private IP addresses to be most specific.
The need to preserve public IP address traffic flows as part of the flow logs is valued feedback. Thank you for contributing.
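The response above explains that flow logs store the NIC's private IP rather than the public IP the client actually hit. As an added example (not from the original thread or from Microsoft), this Python snippet flattens flow tuples and enriches inbound flows with a public IP looked up from a constructed NIC-to-public-IP mapping; the record nesting and the 8-field tuple layout follow the NSG flow log v1 format, and the sample record, MAC and mapping are constructed.

```python
import json

# Constructed sample: one NSG flow log record. The nesting
# (records[].properties.flows[].flows[].flowTuples) and the 8-field tuple
# "time,src,dst,sport,dport,proto,direction,decision" follow the v1 format.
SAMPLE_RECORD = json.dumps({"records": [{"properties": {"flows": [
    {"rule": "UserRule_allow-https", "flows": [{"mac": "000D3AF8AAAA", "flowTuples": [
        "1542110402,203.0.113.7,10.0.1.4,51234,443,T,I,A",   # internet -> NIC private IP
        "1542110403,10.0.1.4,10.0.2.9,40000,1433,T,O,A",     # VM -> internal DB, outbound
    ]}]},
    {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF8AAAA", "flowTuples": [
        "1542110404,198.51.100.20,10.0.1.4,51235,22,T,I,D",  # internet -> NIC, denied
    ]}]},
]}}]})

# Constructed mapping from NIC private IP to the public IP in front of it.
# In practice this comes from the subscription's NIC / public IP / LB
# resources; a shared frontend (LB, App Gateway) maps many NICs to one IP,
# which is why the log itself stores the more specific private address.
PRIVATE_TO_PUBLIC = {"10.0.1.4": "192.0.2.10"}

FIELDS = ["ts", "src", "dst", "sport", "dport", "proto", "direction", "decision"]


def parse_tuples(raw_json):
    """Flatten every flowTuple into a dict and keep the matched NSG rule name."""
    rows = []
    for rec in json.loads(raw_json)["records"]:
        for flow in rec["properties"]["flows"]:
            for inner in flow["flows"]:
                for tup in inner["flowTuples"]:
                    row = dict(zip(FIELDS, tup.split(",")))
                    row["rule"] = flow["rule"]
                    rows.append(row)
    return rows


def enrich(rows, mapping):
    """For inbound flows, add the public IP the client actually targeted."""
    for row in rows:
        inbound = row["direction"] == "I"
        row["dst_public"] = mapping.get(row["dst"]) if inbound else None
    return rows


def denied_inbound_from_internet(rows):
    """Denied inbound flows that arrived via a known public IP: useful for alert triage."""
    return [r for r in rows if r["direction"] == "I" and r["decision"] == "D" and r["dst_public"]]
```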

2) Query to find app gateway access logs and they show up in about 3 minutes:
AzureDiagnostics
| where TimeGenerated >= now(-15m)
| where clientIP_s != ""
| where Category == "ApplicationGatewayAccessLog"